You may also want to take a look at the HTTP_USER_AGENT in the CGI scope as well. The call from the SWF might appear different from what you might expect would be the typical user agent of a browser. Of course, there pretty much is no guarantee that those values aren't spoofed.

If you want to lock down your remote calls to ensure that you are only providing data to your internal application, your best bet is to implement a validation security routine that you can use to verify that a request is valid (assuming that you control the code behind the SWF and the CFC).
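One possible shape for such a validation routine, as an added example rather than code from the original post: the server issues a short-lived HMAC token bound to the session when it renders the page hosting the SWF, and each remote CFC method checks it before returning data. The component, its function names, the secret placeholder and the 300-second lifetime are all assumptions for illustration; `hmac()` requires ColdFusion 10+ or Lucee.

```cfml
component {

    // Assumption: the key stays on the server and is never compiled into the SWF,
    // since anything shipped inside the SWF can be recovered by decompiling it.
    variables.secret = "REPLACE_WITH_SERVER_SIDE_SECRET"; // placeholder value
    variables.maxAgeSeconds = 300;                        // illustrative lifetime

    private numeric function epochSeconds() {
        return createObject("java", "java.time.Instant").now().getEpochSecond();
    }

    // HMAC-SHA256 over "sessionId|issuedAt", lower-case hex.
    private string function sign(required string sessionId, required string issued) {
        return lCase(hmac(arguments.sessionId & "|" & arguments.issued, variables.secret, "HmacSHA256"));
    }

    // Call while rendering the page that embeds the SWF and hand the result
    // to the SWF (for example through FlashVars).
    public string function issueToken(required string sessionId) {
        var issued = toString(epochSeconds());
        return issued & "." & sign(arguments.sessionId, issued);
    }

    // Call at the top of every remote CFC method before returning any data.
    public boolean function validateToken(required string sessionId, required string token) {
        var parts = listToArray(arguments.token, ".");
        if (arrayLen(parts) != 2 || !reFind("^[0-9]{1,12}$", parts[1])) {
            return false; // malformed token
        }
        var age = epochSeconds() - parts[1];
        if (age < 0 || age > variables.maxAgeSeconds) {
            return false; // expired, or timestamped in the future
        }
        var expected = sign(arguments.sessionId, parts[1]);
        // Constant-time comparison so response timing does not leak the signature.
        return createObject("java", "java.security.MessageDigest").isEqual(
            charsetDecode(expected, "utf-8"),
            charsetDecode(lCase(parts[2]), "utf-8")
        );
    }
}
```

The token proves only that the caller holds a value the server issued to that session within the lifetime window; it does not prove the caller is the SWF itself.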